suricata
detect-dns-query.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup dnslayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  */
30 
31 #include "suricata-common.h"
32 #include "threads.h"
33 #include "decode.h"
34 #include "detect.h"
35 
36 #include "detect-parse.h"
37 #include "detect-engine.h"
38 #include "detect-engine-build.h"
39 #include "detect-engine-mpm.h"
42 #include "detect-content.h"
43 #include "detect-pcre.h"
44 
45 #include "flow.h"
46 #include "flow-util.h"
47 #include "flow-var.h"
48 
49 #include "util-debug.h"
50 #include "util-unittest.h"
51 #include "util-spm.h"
52 #include "util-print.h"
53 
54 #include "stream-tcp.h"
55 
56 #include "app-layer.h"
57 #include "app-layer-parser.h"
58 #include "detect-dns-query.h"
59 
60 #include "util-profiling.h"
61 #include "util-unittest-helper.h"
62 #include "rust.h"
63 
64 static int DetectDnsQuerySetup (DetectEngineCtx *, Signature *, const char *);
65 #ifdef UNITTESTS
66 static void DetectDnsQueryRegisterTests(void);
67 #endif
68 static int g_dns_query_buffer_id = 0;
69 
71  uint32_t local_id; /**< used as index into thread inspect array */
72  void *txv;
73 };
74 
75 static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx,
76  const DetectEngineTransforms *transforms, Flow *f, struct DnsQueryGetDataArgs *cbdata,
77  int list_id)
78 {
79  SCEnter();
80 
81  InspectionBuffer *buffer =
82  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
83  if (buffer == NULL)
84  return NULL;
85  if (buffer->initialized)
86  return buffer;
87 
88  const uint8_t *data;
89  uint32_t data_len;
90  if (rs_dns_tx_get_query_name(cbdata->txv, cbdata->local_id, &data, &data_len) == 0) {
91  return NULL;
92  }
93  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
94 
95  SCReturnPtr(buffer, "InspectionBuffer");
96 }
97 
98 static uint8_t DetectEngineInspectDnsQuery(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
99  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
100  void *alstate, void *txv, uint64_t tx_id)
101 {
102  uint32_t local_id = 0;
103 
104  const DetectEngineTransforms *transforms = NULL;
105  if (!engine->mpm) {
106  transforms = engine->v2.transforms;
107  }
108 
109  while(1) {
110  struct DnsQueryGetDataArgs cbdata = { local_id, txv, };
111  InspectionBuffer *buffer =
112  DnsQueryGetData(det_ctx, transforms, f, &cbdata, engine->sm_list);
113  if (buffer == NULL || buffer->inspect == NULL)
114  break;
115 
116  det_ctx->buffer_offset = 0;
117  det_ctx->discontinue_matching = 0;
118  det_ctx->inspection_recursion_counter = 0;
119 
120  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
121  NULL, f,
122  (uint8_t *)buffer->inspect,
123  buffer->inspect_len,
126  if (match == 1) {
128  }
129  local_id++;
130  }
132 }
133 
134 typedef struct PrefilterMpmDnsQuery {
135  int list_id;
136  const MpmCtx *mpm_ctx;
139 
140 /** \brief DnsQuery DnsQuery Mpm prefilter callback
141  *
142  * \param det_ctx detection engine thread ctx
143  * \param p packet to inspect
144  * \param f flow to inspect
145  * \param txv tx to inspect
146  * \param pectx inspection context
147  */
148 static void PrefilterTxDnsQuery(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
149  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
150 {
151  SCEnter();
152 
153  const PrefilterMpmDnsQuery *ctx = (const PrefilterMpmDnsQuery *)pectx;
154  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
155  const int list_id = ctx->list_id;
156 
157  uint32_t local_id = 0;
158  while(1) {
159  // loop until we get a NULL
160 
161  struct DnsQueryGetDataArgs cbdata = { local_id, txv };
162  InspectionBuffer *buffer = DnsQueryGetData(det_ctx, ctx->transforms, f, &cbdata, list_id);
163  if (buffer == NULL)
164  break;
165 
166  if (buffer->inspect_len >= mpm_ctx->minlen) {
167  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
168  &det_ctx->mtcu, &det_ctx->pmq,
169  buffer->inspect, buffer->inspect_len);
170  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
171  }
172 
173  local_id++;
174  }
175 }
176 
177 static void PrefilterMpmDnsQueryFree(void *ptr)
178 {
179  SCFree(ptr);
180 }
181 
182 static int PrefilterMpmDnsQueryRegister(DetectEngineCtx *de_ctx,
183  SigGroupHead *sgh, MpmCtx *mpm_ctx,
184  const DetectBufferMpmRegistery *mpm_reg, int list_id)
185 {
186  PrefilterMpmDnsQuery *pectx = SCCalloc(1, sizeof(*pectx));
187  if (pectx == NULL)
188  return -1;
189  pectx->list_id = list_id;
190  pectx->mpm_ctx = mpm_ctx;
191  pectx->transforms = &mpm_reg->transforms;
192 
193  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDnsQuery,
194  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
195  pectx, PrefilterMpmDnsQueryFree, mpm_reg->pname);
196 }
197 
198 /**
199  * \brief Registration function for keyword: dns_query
200  */
202 {
203  sigmatch_table[DETECT_AL_DNS_QUERY].name = "dns.query";
205  sigmatch_table[DETECT_AL_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
206  sigmatch_table[DETECT_AL_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query";
207  sigmatch_table[DETECT_AL_DNS_QUERY].Setup = DetectDnsQuerySetup;
208 #ifdef UNITTESTS
209  sigmatch_table[DETECT_AL_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests;
210 #endif
213 
215  PrefilterMpmDnsQueryRegister, NULL,
216  ALPROTO_DNS, 1);
217 
220  DetectEngineInspectDnsQuery, NULL);
221 
223  "dns request query");
224 
225  g_dns_query_buffer_id = DetectBufferTypeGetByName("dns_query");
226 
227 #ifdef HAVE_LUA
228  /* register these generic engines from here for now */
233 
235  "dns requests");
237  "dns responses");
238 #endif
239 }
240 
241 
242 /**
243  * \brief setup the dns_query sticky buffer keyword used in the rule
244  *
245  * \param de_ctx Pointer to the Detection Engine Context
246  * \param s Pointer to the Signature to which the current keyword belongs
247  * \param str Should hold an empty string always
248  *
249  * \retval 0 On success
250  * \retval -1 On failure
251  */
252 
253 static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
254 {
255  if (DetectBufferSetActiveList(s, g_dns_query_buffer_id) < 0)
256  return -1;
258  return -1;
259  return 0;
260 }
261 
262 #ifdef UNITTESTS
263 #include "detect-isdataat.h"
264 #include "detect-engine-alert.h"
265 
266 /** \test simple google.com query matching */
267 static int DetectDnsQueryTest01(void)
268 {
269  /* google.com */
270  uint8_t buf[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
271  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
272  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
273  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
274  0x00, 0x10, 0x00, 0x01, };
275  Flow f;
276  void *dns_state = NULL;
277  Packet *p = NULL;
278  Signature *s = NULL;
279  ThreadVars tv;
280  DetectEngineThreadCtx *det_ctx = NULL;
282 
283  memset(&tv, 0, sizeof(ThreadVars));
284  memset(&f, 0, sizeof(Flow));
285 
286  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
287  "192.168.1.5", "192.168.1.1",
288  41424, 53);
289 
290  FLOW_INITIALIZE(&f);
291  f.flags |= FLOW_IPV4;
292  f.proto = IPPROTO_UDP;
294 
295  p->flow = &f;
296  p->flags |= PKT_HAS_FLOW;
298  f.alproto = ALPROTO_DNS;
299 
303  de_ctx->flags |= DE_QUIET;
304 
305  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
306  "(msg:\"Test dns_query option\"; "
307  "dns_query; content:\"google\"; nocase; sid:1;)");
308  FAIL_IF_NULL(s);
309 
311  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
312 
313  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
314  STREAM_TOSERVER, buf, sizeof(buf));
315  if (r != 0) {
316  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
317  FAIL;
318  }
319 
320  dns_state = f.alstate;
321  FAIL_IF_NULL(dns_state);
322 
323  /* do detect */
324  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
325 
326  if (!(PacketAlertCheck(p, 1))) {
327  printf("sig 1 didn't alert, but it should have: ");
328  FAIL;
329  }
330 
331  if (alp_tctx != NULL)
333  if (det_ctx != NULL)
334  DetectEngineThreadCtxDeinit(&tv, det_ctx);
335  if (de_ctx != NULL)
337  if (de_ctx != NULL)
339 
340  FLOW_DESTROY(&f);
341  UTHFreePacket(p);
342  PASS;
343 }
344 
345 /** \test multi tx google.(com|net) query matching */
346 static int DetectDnsQueryTest02(void)
347 {
348  /* google.com */
349  uint8_t buf1[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
350  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
351  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
352  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
353  0x00, 0x01, 0x00, 0x01, };
354 
355  uint8_t buf2[] = { 0x10, 0x32, /* tx id */
356  0x81, 0x80, /* flags: resp, recursion desired, recursion available */
357  0x00, 0x01, /* 1 query */
358  0x00, 0x01, /* 1 answer */
359  0x00, 0x00, 0x00, 0x00, /* no auth rr, additional rr */
360  /* query record */
361  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, /* name */
362  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, /* name cont */
363  0x00, 0x01, 0x00, 0x01, /* type a, class in */
364  /* answer */
365  0xc0, 0x0c, /* ref to name in query above */
366  0x00, 0x01, 0x00, 0x01, /* type a, class in */
367  0x00, 0x01, 0x40, 0xef, /* ttl */
368  0x00, 0x04, /* data len */
369  0x01, 0x02, 0x03, 0x04 }; /* addr */
370 
371  /* google.net */
372  uint8_t buf3[] = { 0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
373  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
374  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
375  0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
376  0x00, 0x10, 0x00, 0x01, };
377  Flow f;
378  void *dns_state = NULL;
379  Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
380  Signature *s = NULL;
381  ThreadVars tv;
382  DetectEngineThreadCtx *det_ctx = NULL;
384 
385  memset(&tv, 0, sizeof(ThreadVars));
386  memset(&f, 0, sizeof(Flow));
387 
388  p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
389  "192.168.1.5", "192.168.1.1",
390  41424, 53);
391  p2 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
392  "192.168.1.5", "192.168.1.1",
393  41424, 53);
394  p3 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
395  "192.168.1.5", "192.168.1.1",
396  41424, 53);
397 
398  FLOW_INITIALIZE(&f);
399  f.flags |= FLOW_IPV4;
400  f.proto = IPPROTO_UDP;
402  f.alproto = ALPROTO_DNS;
403 
404  p1->flow = &f;
405  p1->flags |= PKT_HAS_FLOW;
407  p1->pcap_cnt = 1;
408 
409  p2->flow = &f;
410  p2->flags |= PKT_HAS_FLOW;
411  p2->flowflags |= FLOW_PKT_TOCLIENT;
412  p2->pcap_cnt = 2;
413 
414  p3->flow = &f;
415  p3->flags |= PKT_HAS_FLOW;
416  p3->flowflags |= FLOW_PKT_TOSERVER;
417  p3->pcap_cnt = 3;
418 
422  de_ctx->flags |= DE_QUIET;
423 
424  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
425  "(msg:\"Test dns_query option\"; "
426  "dns_query; content:\"google.com\"; nocase; sid:1;)");
427  FAIL_IF_NULL(s);
428  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
429  "(msg:\"Test dns_query option\"; "
430  "dns_query; content:\"google.net\"; nocase; sid:2;)");
431  FAIL_IF_NULL(s);
432 
434  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
435 
436  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
437  STREAM_TOSERVER, buf1, sizeof(buf1));
438  if (r != 0) {
439  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
440  FAIL;
441  }
442 
443  dns_state = f.alstate;
444  FAIL_IF_NULL(dns_state);
445 
446  /* do detect */
447  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
448 
449  if (!(PacketAlertCheck(p1, 1))) {
450  printf("(p1) sig 1 didn't alert, but it should have: ");
451  FAIL;
452  }
453  if (PacketAlertCheck(p1, 2)) {
454  printf("(p1) sig 2 did alert, but it should not have: ");
455  FAIL;
456  }
457 
458  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
459  buf2, sizeof(buf2));
460  if (r != 0) {
461  printf("toserver client 1 returned %" PRId32 ", expected 0: ", r);
462  FAIL;
463  }
464 
465  /* do detect */
466  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
467 
468  if (PacketAlertCheck(p2, 1)) {
469  printf("(p2) sig 1 alerted, but it should not have: ");
470  FAIL;
471  }
472  if (PacketAlertCheck(p2, 2)) {
473  printf("(p2) sig 2 alerted, but it should not have: ");
474  FAIL;
475  }
476 
477  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
478  buf3, sizeof(buf3));
479  if (r != 0) {
480  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
481  FAIL;
482  }
483 
484  /* do detect */
485  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
486 
487  if (PacketAlertCheck(p3, 1)) {
488  printf("(p3) sig 1 alerted, but it should not have: ");
489  FAIL;
490  }
491  if (!(PacketAlertCheck(p3, 2))) {
492  printf("(p3) sig 2 didn't alert, but it should have: ");
493  FAIL;
494  }
495 
496  if (alp_tctx != NULL)
498  if (det_ctx != NULL)
499  DetectEngineThreadCtxDeinit(&tv, det_ctx);
500  if (de_ctx != NULL)
502  if (de_ctx != NULL)
504 
505  FLOW_DESTROY(&f);
506  UTHFreePacket(p1);
507  UTHFreePacket(p2);
508  UTHFreePacket(p3);
509  PASS;
510 }
511 
512 /** \test simple google.com query matching (TCP) */
513 static int DetectDnsQueryTest03(void)
514 {
515  /* google.com */
516  uint8_t buf[] = { 0x00, 28,
517  0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
518  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
519  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
520  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
521  0x00, 0x10, 0x00, 0x01, };
522  Flow f;
523  void *dns_state = NULL;
524  Packet *p = NULL;
525  Signature *s = NULL;
526  ThreadVars tv;
527  DetectEngineThreadCtx *det_ctx = NULL;
528  TcpSession ssn;
530 
531  memset(&tv, 0, sizeof(ThreadVars));
532  memset(&f, 0, sizeof(Flow));
533  memset(&ssn, 0, sizeof(TcpSession));
534 
535  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
536  "192.168.1.5", "192.168.1.1",
537  41424, 53);
538 
539  FLOW_INITIALIZE(&f);
540  f.protoctx = (void *)&ssn;
541  f.flags |= FLOW_IPV4;
542  f.proto = IPPROTO_TCP;
544 
545  p->flow = &f;
548  f.alproto = ALPROTO_DNS;
549 
550  StreamTcpInitConfig(true);
551 
555  de_ctx->flags |= DE_QUIET;
556 
557  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
558  "(msg:\"Test dns_query option\"; "
559  "dns_query; content:\"google\"; nocase; sid:1;)");
560  FAIL_IF_NULL(s);
561 
563  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
564 
565  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
566  STREAM_TOSERVER, buf, sizeof(buf));
567  if (r != 0) {
568  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
569  FAIL;
570  }
571 
572  dns_state = f.alstate;
573  FAIL_IF_NULL(dns_state);
574 
575  /* do detect */
576  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
577 
578  if (!(PacketAlertCheck(p, 1))) {
579  printf("sig 1 didn't alert, but it should have: ");
580  FAIL;
581  }
582 
583  if (alp_tctx != NULL)
585  if (det_ctx != NULL)
586  DetectEngineThreadCtxDeinit(&tv, det_ctx);
587  if (de_ctx != NULL)
589  if (de_ctx != NULL)
591 
592  StreamTcpFreeConfig(true);
593  FLOW_DESTROY(&f);
594  UTHFreePacket(p);
595  PASS;
596 }
597 
598 
599 /** \test simple google.com query matching, pcre */
600 static int DetectDnsQueryTest04(void)
601 {
602  /* google.com */
603  uint8_t buf[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
604  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
605  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
606  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
607  0x00, 0x10, 0x00, 0x01, };
608  Flow f;
609  void *dns_state = NULL;
610  Packet *p = NULL;
611  Signature *s = NULL;
612  ThreadVars tv;
613  DetectEngineThreadCtx *det_ctx = NULL;
615 
616  memset(&tv, 0, sizeof(ThreadVars));
617  memset(&f, 0, sizeof(Flow));
618 
619  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
620  "192.168.1.5", "192.168.1.1",
621  41424, 53);
622 
623  FLOW_INITIALIZE(&f);
624  f.flags |= FLOW_IPV4;
625  f.proto = IPPROTO_UDP;
627 
628  p->flow = &f;
629  p->flags |= PKT_HAS_FLOW;
631  f.alproto = ALPROTO_DNS;
632 
636  de_ctx->flags |= DE_QUIET;
637 
638  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
639  "(msg:\"Test dns_query option\"; "
640  "dns_query; content:\"google\"; nocase; "
641  "pcre:\"/google\\.com$/i\"; sid:1;)");
642  FAIL_IF_NULL(s);
643  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
644  "(msg:\"Test dns_query option\"; "
645  "dns_query; content:\"google\"; nocase; "
646  "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
647  FAIL_IF_NULL(s);
648 
650  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
651 
652  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
653  STREAM_TOSERVER, buf, sizeof(buf));
654  if (r != 0) {
655  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
656  FAIL;
657  }
658 
659  dns_state = f.alstate;
660  FAIL_IF_NULL(dns_state);
661 
662  /* do detect */
663  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
664 
665  if (!(PacketAlertCheck(p, 1))) {
666  printf("sig 1 didn't alert, but it should have: ");
667  FAIL;
668  }
669  if (!(PacketAlertCheck(p, 2))) {
670  printf("sig 2 didn't alert, but it should have: ");
671  FAIL;
672  }
673 
674  if (alp_tctx != NULL)
676  if (det_ctx != NULL)
677  DetectEngineThreadCtxDeinit(&tv, det_ctx);
678  if (de_ctx != NULL)
680  if (de_ctx != NULL)
682 
683  FLOW_DESTROY(&f);
684  UTHFreePacket(p);
685  PASS;
686 }
687 
688 /** \test multi tx google.(com|net) query matching +
689  * app layer event */
690 static int DetectDnsQueryTest05(void)
691 {
692  /* google.com */
693  uint8_t buf1[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
694  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
695  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
696  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
697  0x00, 0x01, 0x00, 0x01, };
698 
699  uint8_t buf2[] = { 0x10, 0x32, /* tx id */
700  0x81, 0x80|0x40, /* flags: resp, recursion desired, recursion available */
701  0x00, 0x01, /* 1 query */
702  0x00, 0x01, /* 1 answer */
703  0x00, 0x00, 0x00, 0x00, /* no auth rr, additional rr */
704  /* query record */
705  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, /* name */
706  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, /* name cont */
707  0x00, 0x01, 0x00, 0x01, /* type a, class in */
708  /* answer */
709  0xc0, 0x0c, /* ref to name in query above */
710  0x00, 0x01, 0x00, 0x01, /* type a, class in */
711  0x00, 0x01, 0x40, 0xef, /* ttl */
712  0x00, 0x04, /* data len */
713  0x01, 0x02, 0x03, 0x04 }; /* addr */
714 
715  /* google.net */
716  uint8_t buf3[] = { 0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
717  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
718  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
719  0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
720  0x00, 0x10, 0x00, 0x01, };
721  Flow f;
722  void *dns_state = NULL;
723  Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
724  Signature *s = NULL;
725  ThreadVars tv;
726  DetectEngineThreadCtx *det_ctx = NULL;
728 
729  memset(&tv, 0, sizeof(ThreadVars));
730  memset(&f, 0, sizeof(Flow));
731 
732  p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
733  "192.168.1.5", "192.168.1.1",
734  41424, 53);
735  p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_UDP,
736  "192.168.1.5", "192.168.1.1",
737  41424, 53);
738  p3 = UTHBuildPacketReal(buf3, sizeof(buf3), IPPROTO_UDP,
739  "192.168.1.5", "192.168.1.1",
740  41424, 53);
741 
742  FLOW_INITIALIZE(&f);
743  f.flags |= FLOW_IPV4;
744  f.proto = IPPROTO_UDP;
746  f.alproto = ALPROTO_DNS;
747 
748  p1->flow = &f;
749  p1->flags |= PKT_HAS_FLOW;
751  p1->pcap_cnt = 1;
752 
753  p2->flow = &f;
754  p2->flags |= PKT_HAS_FLOW;
755  p2->flowflags |= FLOW_PKT_TOCLIENT;
756  p2->pcap_cnt = 2;
757 
758  p3->flow = &f;
759  p3->flags |= PKT_HAS_FLOW;
760  p3->flowflags |= FLOW_PKT_TOSERVER;
761  p3->pcap_cnt = 3;
762 
766  de_ctx->flags |= DE_QUIET;
767 
768  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
769  "(msg:\"Test dns_query option\"; "
770  "dns_query; content:\"google.com\"; nocase; sid:1;)");
771  FAIL_IF_NULL(s);
772  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
773  "(msg:\"Test dns_query option\"; "
774  "dns_query; content:\"google.net\"; nocase; sid:2;)");
775  FAIL_IF_NULL(s);
776  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
777  "(msg:\"Test Z flag event\"; "
778  "app-layer-event:dns.z_flag_set; sid:3;)");
779  FAIL_IF_NULL(s);
780 
782  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
783 
784  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
785  STREAM_TOSERVER, buf1, sizeof(buf1));
786  if (r != 0) {
787  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
788  FAIL;
789  }
790 
791  dns_state = f.alstate;
792  FAIL_IF_NULL(dns_state);
793 
794  /* do detect */
795  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
796 
797  if (!(PacketAlertCheck(p1, 1))) {
798  printf("(p1) sig 1 didn't alert, but it should have: ");
799  FAIL;
800  }
801  if (PacketAlertCheck(p1, 2)) {
802  printf("(p1) sig 2 did alert, but it should not have: ");
803  FAIL;
804  }
805 
806  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
807  buf2, sizeof(buf2));
808  if (r != 0) {
809  printf("toserver client 1 returned %" PRId32 ", expected 0\n", r);
810  FAIL;
811  }
812 
813  /* do detect */
814  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
815 
816  if (PacketAlertCheck(p2, 1)) {
817  printf("(p2) sig 1 alerted, but it should not have: ");
818  FAIL;
819  }
820  if (PacketAlertCheck(p2, 2)) {
821  printf("(p2) sig 2 alerted, but it should not have: ");
822  FAIL;
823  }
824  if (!(PacketAlertCheck(p2, 3))) {
825  printf("(p2) sig 3 didn't alert, but it should have: ");
826  FAIL;
827  }
828 
829  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
830  buf3, sizeof(buf3));
831  if (r != 0) {
832  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
833  FAIL;
834  }
835 
836  /* do detect */
837  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
838 
839  if (PacketAlertCheck(p3, 1)) {
840  printf("(p3) sig 1 alerted, but it should not have: ");
841  FAIL;
842  }
843  if (!(PacketAlertCheck(p3, 2))) {
844  printf("(p3) sig 2 didn't alert, but it should have: ");
845  FAIL;
846  }
847  /** \todo should not alert, bug #839
848  if (PacketAlertCheck(p3, 3)) {
849  printf("(p3) sig 3 did alert, but it should not have: ");
850  goto end;
851  }
852  */
853 
854  if (alp_tctx != NULL)
856  if (det_ctx != NULL)
857  DetectEngineThreadCtxDeinit(&tv, det_ctx);
858  if (de_ctx != NULL)
860  if (de_ctx != NULL)
862 
863  FLOW_DESTROY(&f);
864  UTHFreePacket(p1);
865  UTHFreePacket(p2);
866  UTHFreePacket(p3);
867  PASS;
868 }
869 
870 static int DetectDnsQueryIsdataatParseTest(void)
871 {
874  de_ctx->flags |= DE_QUIET;
875 
877  "alert dns any any -> any any ("
878  "dns_query; content:\"one\"; "
879  "isdataat:!4,relative; sid:1;)");
880  FAIL_IF_NULL(s);
881 
882  SigMatch *sm = s->init_data->smlists_tail[g_dns_query_buffer_id];
883  FAIL_IF_NULL(sm);
885 
890 
892  PASS;
893 }
894 
895 static void DetectDnsQueryRegisterTests(void)
896 {
897  UtRegisterTest("DetectDnsQueryTest01", DetectDnsQueryTest01);
898  UtRegisterTest("DetectDnsQueryTest02", DetectDnsQueryTest02);
899  UtRegisterTest("DetectDnsQueryTest03 -- tcp", DetectDnsQueryTest03);
900  UtRegisterTest("DetectDnsQueryTest04 -- pcre", DetectDnsQueryTest04);
901  UtRegisterTest("DetectDnsQueryTest05 -- app layer event",
902  DetectDnsQueryTest05);
903 
904  UtRegisterTest("DetectDnsQueryIsdataatParseTest",
905  DetectDnsQueryIsdataatParseTest);
906 }
907 #endif
DetectEngineAppInspectionEngine_
Definition: detect.h:390
SigTableElmt_::url
const char * url
Definition: detect.h:1241
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1498
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:394
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1053
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1447
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1003
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
SigTableElmt_::name
const char * name
Definition: detect.h:1238
InspectionBuffer::initialized
bool initialized
Definition: detect.h:341
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1395
DetectEngineTransforms
Definition: detect.h:372
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DnsQueryGetDataArgs::local_id
uint32_t local_id
Definition: detect-dns-query.c:71
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:594
detect-isdataat.h
Flow_::proto
uint8_t proto
Definition: flow.h:379
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:640
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
InspectionBuffer
Definition: detect.h:337
Packet_::flags
uint32_t flags
Definition: decode.h:463
DnsQueryGetDataArgs::txv
void * txv
Definition: detect-dns-query.c:72
threads.h
Flow_
Flow data structure.
Definition: flow.h:357
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1134
Flow_::protomap
uint8_t protomap
Definition: flow.h:451
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@87::@89 app_v2
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:626
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:229
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:244
Flow_::protoctx
void * protoctx
Definition: flow.h:447
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
detect-pcre.h
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@84 v2
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1132
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
detect-dns-query.h
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:396
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:536
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:356
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:40
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:835
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:339
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2019
util-profiling.h
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
Packet_
Definition: decode.h:428
detect-engine-build.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
detect-engine-alert.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:228
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1092
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:407
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:106
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1303
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:307
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:668
DetectBufferMpmRegistery_::pname
char pname[32]
Definition: detect.h:628
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1239
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1323
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1111
util-spm.h
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1431
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1948
PrefilterMpmDnsQuery::transforms
const DetectEngineTransforms * transforms
Definition: detect-dns-query.c:137
DetectDnsQueryRegister
void DetectDnsQueryRegister(void)
Registration function for keyword: dns_query.
Definition: detect-dns-query.c:201
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:340
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:338
str
#define str(s)
Definition: suricata-common.h:280
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:482
Flow_::flags
uint32_t flags
Definition: flow.h:427
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:404
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:229
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
PrefilterMpmDnsQuery::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-dns-query.c:136
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
DETECT_AL_DNS_QUERY
@ DETECT_AL_DNS_QUERY
Definition: detect-engine-register.h:223
DnsQueryGetDataArgs
Definition: detect-dns-query.c:70
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1384
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1423
PrefilterMpmDnsQuery
Definition: detect-dns-query.c:134
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1293
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1176
MpmCtx_
Definition: util-mpm.h:88
TcpSession_
Definition: stream-tcp-private.h:272
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PrefilterMpmDnsQuery::list_id
int list_id
Definition: detect-dns-query.c:135
flow-var.h
PrefilterMpmDnsQuery
struct PrefilterMpmDnsQuery PrefilterMpmDnsQuery
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:129
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1000
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230
app-layer.h